COVID-19 is by far the most popular topic exploited by cybercriminals in phishing and malspam campaigns. Recently, attackers have found a new and effective way to convince the user to open a malicious attachment. Researchers at IBM X-Force discovered a malicious campaign that used emails pretended to be messages from the U.S. Department of Labor. […]
Last week, CISA, FBI, and DoD released malware analysis reports on recently discovered tools of the notorious Lazarus group that perform operations in the interests of the North Korean government. The malware variants, called COPPERHEDGE, TAINTEDSCRIBE, and PEBBLEDASH, can be used for reconnaissance and deleting confidential information on target systems. TAINTEDSCRIBE malware is used as […]
NetWire is a publicly-available Remote Access Trojan that is a part of the NetWiredRC malware family used by cybercriminals since 2012. Its primary functionality is focused on credentials stealing and keylogging, but it also has remote control capabilities. Adversaries often distribute NetWire through malspam and phishing emails. In a recent campaign, cybercriminals targeted users in […]
We start the week with a new rule from Emir Erdogan – HawkEye Multiple Detection (Covid19 Themed Phishing Campaign). This malware is also known as Predator Pain steals a variety of sensitive information from the infected system, including bitcoin wallet information and credentials to browsers and mail clients. The stealer is capable of taking screenshots […]
This digest includes rules from both members of the Threat Bounty Program and the SOC Prime Team. Let’s start with rules by Arunkumar Krishna which will debut in our Rule Digest with CVE-2020-0932: A Remote Code Execution Bug in Microsoft SharePoint. CVE-2020-0932 was patched in April, it allows authenticated users to execute arbitrary code on […]
This week we want to highlight the community Sigma rule by Emir Erdogan that helps detect Nefilim/Nephilim ransomware used in destructive attacks. This ransomware family was first discovered two months ago, and its code is based on NEMTY ransomware which emerged last summer as a public affiliate program. It looks like NEMTY forked into two […]
Remcos RAT was first spotted in 2016. Now it hat purports to be a legitimate remote access tool but it was used in multiple global hacking campaigns. On various sites and forums, cybercriminals advertise, sell, and offer the cracked version of this malware. Since the end of February, security researchers have discovered several campaigns that […]
Floxif Trojan is primarily known for being used by the Winnti group, they distributed it with the infected CCleaner, which was downloaded by users from the official site. The attack occurred in September 2017, attackers allegedly gained access to CCleaner’s build environment. Floxif Trojan was used with Nyetya Trojan to collect information about infected systems […]
We continue to draw your attention to rules whose capabilities are beyond the more common detection content analyzing Sysmon logs. Today in our digest there are two rules for detecting attacks on Web Servers, a continuation of a series of rules (1, 2) for discovering traces of Outlaw hacking group attacks, and detection content that […]
Most of the rules published on the Threat Detection Marketplace are aimed at detecting attacks on Windows systems. This is not surprising since most of the threats specifically targeted at the Microsoft operating system, as it is the most popular. But there are serious threats for other operating systems, so today we will tell you […]